Abstract. The paper develops a novel approach to stream cipher design: Both the state update
function and the output function of the corresponding pseudorandom generators are compositions of
arithmetic and bitwise logical operations, which are standard instructions of modern microprocessors.
Moreover, both the state update function and the output function are modified dynamically
during the encryption. Also, these compositions could be keyed, so the only information available to
an attacker is that these functions belong to some exponentially large class.

The paper shows that under rather loose conditions the output sequence is uniformly distributed,
achieves maximum period length and has high linear complexity and $\ell$-error linear complexity. Ciphers
of this kind are flexible: One could choose a suitable combination of instructions to obtain due performance
without affecting the quality of the output sequence. Finally, some evidence is given that a key
recovery problem for (reasonably designed) stream ciphers of this kind is intractable up to plausible
conjectures.



1. Introduction 

A classical stream cipher is usually thought of as a pseudorandom generator which produces a
keystream, that is, a binary random-looking string. The encryption procedure is just a bitwise addition
modulo 2 (also called XORing) of the keystream to a plaintext, which is also represented as a binary string.
That is, a pseudorandom generator is an algorithm that takes a short random string (a key,
or a seed) and expands it into a very long random-looking string, a keystream.

To make software implementations of these algorithms platform-independent as well as to achieve
high performance, the algorithms must use only those instructions that are common for contemporary
processors. These instructions are numerical operations (addition, multiplication, subtraction, ...) and
logical ones (bitwise exclusive or, XOR; bitwise and, AND; etc.).

All these numerical and bitwise logical operations, and hence all their compositions, belong to a
special class of mappings from $n$-bit words into $n$-bit words:^1 The $i$-th bit of the output word depends
only on bits $0, 1, \ldots, i$ of the input words. This fact underlies a number of results that enable one to
determine whether a function of this kind is one-to-one, i.e., induces a permutation on $n$-bit words, or
whether this permutation is a single cycle, or whether the function is balanced; that is, for each $n$-bit
word the number of all its preimages is exactly the same, etc. Systematic studies of these properties
^1 These mappings are well-known mathematical objects (however, under different names: compatible mappings in
algebra, determined functions in automata theory, triangle Boolean mappings in the theory of Boolean functions, functions
that satisfy the Lipschitz condition with constant 1 in $p$-adic analysis) dating back to the 1960s [22], [24]. Usefulness of these
mappings in cryptography has been directly pointed out since 1993 by V. S. Anashin [9], [3], [4], [5], [6], [7]. The name
"T-functions" for these mappings was suggested by A. Klimov and A. Shamir in 2002 [17].






VLADIMIR ANASHIN 



for the above mentioned mappings were started by [9] and [3] (see also [4]) followed by [19], [5], [6], 
[7], [8], as well as by later works [17], [16], and [15]. 

The main goal of the paper is to present a mathematical background for a novel approach to the
design of stream ciphers.^2 In this design, recurrence laws that define the keystream are combinations
of the above mentioned numerical and logical operations; moreover, these laws are dynamically
modified during encryption. Nevertheless, under minor restrictions we are able to prove that the
keystream has the longest possible period, uniform distribution, and high linear complexity as
well as high $\ell$-error linear complexity and high 2-adic span. To give an idea of what these algorithms
look like, consider the following illustrative example.

Let $m \equiv 3 \pmod 4$, $m \ge 3$. Take $m$ arbitrary compositions $v_0(x), \ldots, v_{m-1}(x)$ of the
above mentioned machine instructions (addition, multiplication, XOR, AND, etc.), then take another
$m$ arbitrary compositions $w_0(x), \ldots, w_{m-1}(x)$ of this kind. Arrange two arrays $V$ and $W$, writing
these $v_j(x)$ and $w_j(x)$ to memory in arbitrary order. Now choose an arbitrary $x_0 \in \{0, 1, \ldots, 2^n - 1\}$
as a seed. The generator calculates the recurrence sequence of states
\[ x_{i+1} = \bigl(i \bmod m + x_i + 4 \cdot v_{i \bmod m}(x_i)\bigr) \bmod 2^n \]
and outputs the sequence
\[ z_i = \bigl(1 + \pi(x_i) + 4 \cdot w_{i \bmod m}(\pi(x_i))\bigr) \bmod 2^n, \]
where $\pi$ is the bit order reverse permutation, which reads an $n$-bit number $z \in \{0, 1, \ldots, 2^n - 1\}$ in reverse bit
order; e.g., $\pi(0) = 0$, $\pi(1) = 2^{n-1}$, $\pi(2) = 2^{n-2}$, $\pi(3) = 2^{n-2} + 2^{n-1}$, etc. Then the sequence $\{x_i\}$ of
$n$-bit numbers is periodic; its shortest period is of length $2^n m$, and each number of $\{0, 1, \ldots, 2^n - 1\}$
occurs at the period exactly $m$ times. Moreover, replacing each number $x_i$ in $\{x_i\}$ by the $n$-bit word
that is the base-2 expansion of $x_i$, we obtain by concatenation of these $n$-bit words a binary counterpart
of the sequence $\{x_i\}$, i.e., a binary sequence $\{x_i\}'$ with a period of length $2^n m n$. This period is random
in the sense of [18, Section 3.5, Definition Q1] (see (4.3.1) further); each $k$-tuple ($0 < k \le n$) occurs in
this sequence $\{x_i\}'$ with frequency exactly $1/2^k$.^3 The output sequence $\{z_i\}$ of numbers is also periodic;
its shortest period is of length $2^n m$; each number of $\{0, 1, \ldots, 2^n - 1\}$ occurs at the period exactly
$m$ times. Finally, the length of the shortest period of every binary subsequence $\{\delta_s(z_i) : i = 0, 1, 2, \ldots\}$
obtained by reading the $s$-th bit $\delta_s(z_i)$ ($0 \le s \le n-1$) of each member of the sequence $\{z_i\}$ is a multiple
of $2^n$; the linear complexity of this binary subsequence $\{\delta_s(z_i)\}$ (as well as the linear complexity of the binary
counterparts $\{z_i\}'$ and $\{x_i\}'$) exceeds $2^{n-1}$.

Ciphers of this kind are rather flexible. For instance, in the above example one can take $m = 2^k$
instead of odd $m \equiv 3 \pmod 4$ and replace $i \bmod m$ in the definition of the state transition functions
by an arbitrary $c_i \in \{0, 1, \ldots, 2^n - 1\}$. To guarantee the above declared properties both of the state
sequence and of the output sequence one must only demand that $c_0 + c_1 + \cdots + c_{m-1} \equiv 1 \pmod 2$.
Moreover, one can take instead of $\pi$ an arbitrary permutation of bits that takes the leftmost bit to
the rightmost position (for instance, a circular 1-bit rotation towards higher order bits, which is also a
standard instruction in modern microprocessors). Also, one can replace the second $+$ in the definition
of the state transition and/or output functions with $\oplus$ (i.e., with XOR), or take the third summand in
the form $2 \cdot \bigl(w(\pi(x) + 1) - w(\pi(x))\bigr)$ (or $2 \cdot \bigl(w(\pi(x) + 1) + \mathrm{NOT}(w(\pi(x)))\bigr)$) instead of $4 \cdot w(\pi(x_i))$, etc.

^2 This approach has already resulted in a very fast and flexible stream cipher, ABC v. 2, see [10], [2].
^3 We count overlapping $k$-tuples as well.

Figure 1. Ordinary PRNG

Once again we emphasize that both $v$ and $w$ could be arbitrary compositions of the above mentioned
machine instructions (and derived ones); e.g., in the above example one might take^4

^" 3 + 4- (5 + 6x5)^' XOR^^ j 

We assume here and on that all the operands are non-negative rational integers represented in their
base-2 expansions; so, for instance, $2 = 1 \mathrel{\mathrm{XOR}} 3 = 2 \mathrel{\mathrm{AND}} 7 \equiv \mathrm{NOT}\,13 \pmod 8$, $\frac{1}{3} = 3^{-1} \equiv 11 \equiv -5 \pmod{16}$,
$\sqrt[3]{3} = 3^{1/3} \equiv 3^{-1} \equiv 11 \pmod{16}$, etc. Up to this agreement the functions $v$ and $w$ are well
defined. The performance of the whole scheme depends only on the ratio of 'fast' and 'slow' operations
in these compositions; one may vary this ratio in a wide range to achieve desirable speed.
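To make the introductory construction concrete, here is an added example (it is not code from the paper and has nothing to do with the ABC cipher) that implements the generator above for a toy word size and brute-forces the claims about periods and multiplicities. The word size $n = 5$, the control sequences, and the particular compositions $v_j$, $w_j$ are this example's own choices; they are small enough that the full period $2^n m$ can be enumerated. The third run deliberately violates the requirement that the parity pattern of the control sequence has shortest period $m$ (all $c_i$ odd), and the check on the state sequence modulo 2 shows the period claim failing.

```python
"""Toy instance of the introductory wreath-product generator (added example).

State:  x_{i+1} = (c_i + x_i + 4*v_{i mod m}(x_i)) mod 2^n,   c_i = i mod m in the text
Output: z_i     = (1 + pi(x_i) + 4*w_{i mod m}(pi(x_i))) mod 2^n
with pi the bit-order reversal on n-bit words.  Everything is verified by brute
force on small parameters; nothing is taken from the paper's proofs.
"""
from collections import Counter

N = 5                        # word size in bits (assumption: small enough to enumerate)


def bit_reverse(x, n=N):
    """pi(x): read the n-bit word x in reverse bit order (pi(1) = 2^(n-1))."""
    r = 0
    for _ in range(n):
        r = (r << 1) | (x & 1)
        x >>= 1
    return r


# Arbitrary compositions of +, -, *, XOR, AND, OR, NOT and left shift; every one
# of them is a T-function, which is all the construction needs.  The formulas
# are the example author's choice, not the paper's.
V = [
    lambda x: (x * x + 0x1D) ^ (x << 2),
    lambda x: (x | 0x25) * (x + 7),
    lambda x: ~(x * 0x3B) & (x ^ 0x11),
    lambda x: (x - 0x13) * (x * x | 1),
]
W = [
    lambda x: (x ^ 0x33) + (x & 0x0F) * 5,
    lambda x: (x * x * x) | (x << 1),
    lambda x: (x + 0x2A) ^ ((x * 3) << 3),
    lambda x: ~x * (x + 9),
]


def make_generator(control, v=V, w=W, n=N):
    """Return step(i, x) -> (x_next, z_i) for the control sequence c_0..c_{m-1}."""
    m = len(control)
    mask = (1 << n) - 1

    def step(i, x):
        j = i % m
        x_next = (control[j] + x + 4 * v[j](x)) & mask
        y = bit_reverse(x, n)
        z = (1 + y + 4 * w[j](y)) & mask      # y -> 1 + y + 4w(y) is a bijection mod 2^n
        return x_next, z

    return step


def run(step, x0, steps):
    xs, zs = [], []
    x = x0
    for i in range(steps):
        x_next, z = step(i, x)
        xs.append(x)
        zs.append(z)
        x = x_next
    return xs, zs


def shortest_period(seq):
    """Smallest t >= 1 with seq[i + t] == seq[i] on the first half of seq."""
    half = len(seq) // 2
    for t in range(1, half + 1):
        if all(seq[i] == seq[i + t] for i in range(half)):
            return t
    return None


def check_claims(control, x0=0, n=N):
    """Brute-force the claims: periods of states/outputs and their multiplicities."""
    m = len(control)
    size = 1 << n
    full = size * m                                   # claimed period 2^n * m
    xs, zs = run(make_generator(control, n=n), x0, 4 * full)
    cx, cz = Counter(xs[:full]), Counter(zs[:full])
    return {
        "state_period": shortest_period(xs),
        "state_uniform": len(cx) == size and set(cx.values()) == {m},
        "output_period": shortest_period(zs),
        "output_uniform": len(cz) == size and set(cz.values()) == {m},
        "state_mod2_period": shortest_period([x & 1 for x in xs]),
    }


if __name__ == "__main__":
    print("m = 3, c_i = i mod 3        :", check_claims([0, 1, 2]))
    print("m = 4, sum(c_i) odd         :", check_claims([5, 2, 0, 6]))
    print("m = 3, c = (1, 1, 1), broken:", check_claims([1, 1, 1]))
```

For the two admissible control sequences the state sequence has shortest period $2^n m$ (96 and 128) with every word appearing exactly $m$ times, and the same holds for the output words; the state sequence modulo 2 has period $2m$. With $c = (1, 1, 1)$ the sum of the $c_i$ is still odd, but the parity pattern $1, 1, 1$ has period 1 rather than $m$, and the sequence modulo 2 simply alternates: the $2^n m$ claim is lost already in the lowest bit.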

The paper is organized as follows. Section 2 concerns basic facts about functions we use as 'building 
blocks' of our generators. Section 3 describes how to construct a generator out of these blocks. Section 
4 studies properties of output sequences of these generators, and Section 5 gives some reasoning why 
(some of) these generators could be provably secure. Due to the space constraints, no proofs are given. 

2. Preliminaries 

Basically, the generator we consider in the paper is a finite automaton $\mathfrak{A} = \langle N, M, f, F, u_0 \rangle$ with a
finite state set $N$, state transition function $f\colon N \to N$, finite output alphabet $M$, output function
$F\colon N \to M$ and an initial state (seed) $u_0 \in N$. Thus, this generator (see Figure 1) produces a
sequence
\[ \mathcal{S} = \{F(u_0), F(f(u_0)), F(f^{(2)}(u_0)), F(f^{(3)}(u_0)), \ldots\} \]
over the set $M$, where
\[ f^{(j)}(u_0) = \underbrace{f(\ldots f}_{j \text{ times}}(u_0) \ldots) \quad (j = 1, 2, \ldots); \qquad f^{(0)}(u_0) = u_0. \]




^4 This example is of no practical value; it serves only to illustrate how 'crazy' the compositions could be.

Automata of the form $\mathfrak{A}$ could be used either as pseudorandom generators per se, or as components
of more complicated pseudorandom generators, the so-called counter-dependent generators (see Figure
2); the latter produce sequences $\{z_0, z_1, z_2, \ldots\}$ over $M$ according to the rule
\[ (2.0.1) \qquad z_0 = F_0(u_0),\ u_1 = f_0(u_0);\ \ldots;\ z_i = F_i(u_i),\ u_{i+1} = f_i(u_i);\ \ldots \]
That is, at the $(i+1)$-th step the automaton $\mathfrak{A}_i = \langle N, M, f_i, F_i, u_i \rangle$ is applied to the state $u_i \in N$,
producing a new state $u_{i+1} = f_i(u_i) \in N$ and outputting a symbol $z_i = F_i(u_i) \in M$.
Now we give a more formal
Now we give a more formal 

2.1. Definition. Let $\mathfrak{A}_j = \langle N, M, f_j, F_j \rangle$ be a family of automata with the same state set $N$ and
the same output alphabet $M$ indexed by elements of a non-empty (possibly countably infinite) set
$J$ (members of the family need not be pairwise distinct). Let $T\colon J \to J$ be an arbitrary
mapping. A wreath product of the family $\{\mathfrak{A}_j\}$ of automata with respect to the mapping $T$ is an
automaton with the state set $N \times J$, state transition function $f(j, z) = (f_j(z), T(j))$ and output
function $F(j, z) = F_j(z)$. The state transition function $f(j, z) = (f_j(z), T(j))$ is called a wreath
product of the family of mappings $\{f_j : j \in J\}$ with respect to the mapping $T$.^5 We call $f_j$ (resp., $F_j$)
clock state update (resp., output) functions.

It is worth noticing here that if $J = \mathbb{N}_0$ and $F_i$ does not depend on $i$, this construction gives us a
number of examples of counter-dependent generators in the sense of [23, Definition 2.4], where the
notion of a counter-dependent generator was originally introduced. However, we use this notion in a
broader sense in comparison with that of [23]: In our counter-dependent generators not only the state
transition function, but also the output function depends on $i$. Moreover, in [23] only a special case
of counter-dependent generators is studied; namely, counter-assisted generators and their cascaded
and two-step modifications. A state transition function of a counter-assisted generator is of the form
$f_i(x) = i \star h(x)$, where $\star$ is a binary quasigroup operation (in particular, a group operation, e.g., $+$ or
XOR), and $h(x)$ does not depend on $i$. An output function of a counter-assisted generator does not
depend on $i$ either. Finally, our constructions provide long period, uniform distribution, and high
linear complexity of output sequences; cf. [23], where only the diversity is guaranteed.

Throughout the paper we assume that $N = I_n(p) = \{0, 1, \ldots, p^n - 1\}$, $M = I_m(p)$, $m \le n$, where
$p$ is a prime. Moreover, we mainly focus on the case $p = 2$ as the most suitable for computer
implementations. It is convenient to think of elements $z \in I_n(p)$ as base-$p$ expansions of rational
integers:
\[ z = \delta^p_0(z) + \delta^p_1(z) \cdot p + \cdots + \delta^p_{n-1}(z) \cdot p^{n-1}; \]
here $\delta^p_j(z) \in \{0, 1, \ldots, p-1\}$. For $p = 2$ we usually omit the superscript, when this does not lead to
misunderstanding. Further we usually identify $I_n(p)$ with the ring $\mathbb{Z}/p^n$ of residues modulo $p^n$.

As said above, we consider bitwise logical operators as functions defined on the set $\mathbb{N}_0 = \{0, 1, 2, \ldots\}$.
Machine instructions $\mathrm{SHR}_m$ and $\mathrm{SHL}_m$, an $m$-bit right shift ($\cdot \gg m$, which is a multiplication by $2^m$) and
an $m$-bit left shift ($\cdot \ll m$, integer division by $2^m$, i.e., $\lfloor a/2^m \rfloor$, with $\lfloor a \rfloor$ being the greatest rational integer
that does not exceed $a$), are defined on $\mathbb{N}_0$ as well. Note that from this moment on throughout the paper
we represent integers $i$ in reverse bit order, less significant bits left, according to their occurrences in the
2-adic canonical representation of $i = \delta_0(i) + \delta_1(i) \cdot 2 + \delta_2(i) \cdot 4 + \ldots$; so $0011$ is $12$, and not $3$
(which is why, in this notation, a right shift multiplies and a left shift divides). Moreover,
one may think about these logical and machine operators, as well as of numerical, i.e., arithmetic ones



^5 Cf. the skew shift in ergodic theory; cf. the round function in the Feistel network. We are using a term from group theory.

Figure 2. Counter-dependent PRNG



(addition, multiplication, etc.), as of functions that are defined on (and take values in) the set $\mathbb{Z}_2$ of all
2-adic integers^6 (see [3, 5]); e.g., $x \mathrel{\mathrm{OR}} y = (\delta_0(x) \vee \delta_0(y)) + (\delta_1(x) \vee \delta_1(y)) \cdot 2 + (\delta_2(x) \vee \delta_2(y)) \cdot 2^2 + \ldots$.

A common feature of the above mentioned operations is that they all, with the exception of shifts
towards less significant bits and circular rotations,^7 are compatible, i.e., $\omega(u, v) \equiv \omega(u_1, v_1) \pmod{2^k}$
whenever both congruences $u \equiv u_1 \pmod{2^k}$ and $v \equiv v_1 \pmod{2^k}$ hold simultaneously. The notion
of compatible mapping could be naturally generalized to multivariate mappings $(\mathbb{Z}/p^k)^s \to (\mathbb{Z}/p^k)^t$
and $(\mathbb{Z}_p)^s \to (\mathbb{Z}_p)^t$ over a residue ring modulo $p^k$ (resp., the ring $\mathbb{Z}_p$ of $p$-adic integers). Obviously, a
composition of compatible mappings is a compatible mapping. We list now some important examples
of compatible operators $(\mathbb{Z}_p)^2 \to \mathbb{Z}_p$, $p$ prime (see [5]). Part of them originates from arithmetic
operations:

(2.1.1)
    multiplication, $\cdot$ : $(u, v) \mapsto uv$;
    addition, $+$ : $(u, v) \mapsto u + v$;
    subtraction, $-$ : $(u, v) \mapsto u - v$;
    exponentiation, $\uparrow_p$ : $(u, v) \mapsto u \uparrow_p v = (1 + pu)^v$; in particular,
    raising to negative powers, $u \uparrow_p (-r) = (1 + pu)^{-r}$, $r \in \mathbb{N}$; and
    division, $/_p$ : $u /_p v = u \cdot (v \uparrow_p (-1)) = \dfrac{u}{1 + pv}$.



^6 The latter ones within the context of this paper could be thought of as countably infinite binary sequences with
members indexed by $0, 1, 2, \ldots$; $\mathbb{Z}_2$ is a metric space with respect to the 2-adic norm $\|a\|_2 = 2^{-k}$, where $k$ is the number
of the first zero members of the sequence $a \in \mathbb{Z}_2$: $\|0\| = \|000\ldots\|_2 = 0$, $\|1\| = \|100\ldots\|_2 = 1$, $\|2\| = \|010\ldots\|_2 = \frac{1}{2}$,
etc.

^7 Nevertheless, both are used in further constructions.
The other part originates from digitwise logical operations of $p$-valued logic:

(2.1.2)
    digitwise multiplication $u \odot_p v$ : $\delta_j(u \odot_p v) \equiv \delta_j(u)\,\delta_j(v) \pmod p$;
    digitwise addition $u \oplus_p v$ : $\delta_j(u \oplus_p v) \equiv \delta_j(u) + \delta_j(v) \pmod p$;
    digitwise subtraction $u \ominus_p v$ : $\delta_j(u \ominus_p v) \equiv \delta_j(u) - \delta_j(v) \pmod p$.

Here $\delta_j(z)$ ($j = 0, 1, 2, \ldots$) stands for the $j$-th digit of $z$ in its base-$p$ expansion.

More compatible mappings could be derived from the above mentioned ones. For instance, a
reduction modulo $p^n$, $n \in \mathbb{N}$, is $u \bmod p^n = u \odot_p \frac{p^n - 1}{p - 1}$; a $k$-step shift towards more significant digits
is just a multiplication by $p^k$, etc. Obviously, $u \odot_2 v = u \mathrel{\mathrm{AND}} v$, $u \oplus_2 v = u \mathrel{\mathrm{XOR}} v$. Further, in case $p = 2$
we omit subscripts of the corresponding operators.

In case $p = 2$ compatible mappings could be characterized in terms of Boolean functions. Namely,
each mapping $T\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ could be considered as an ensemble of $n$ Boolean functions $\tau^T_i$,
$i = 0, 1, 2, \ldots, n-1$, in $n$ Boolean variables $\chi_0, \ldots, \chi_{n-1}$ by assuming $\chi_i = \delta_i(u)$, $\tau^T_i(\chi_0, \ldots, \chi_{n-1}) =
\delta_i(T(u))$ for $u$ running from $0$ to $2^n - 1$. The following proposition holds.

2.2. Proposition. ([ Proposition 3.9]) A mapping $T\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ (resp., a mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$)
is compatible iff each Boolean function $\tau^T_i(\chi_0, \chi_1, \ldots) = \delta_i(T(u))$, $i = 0, 1, 2, \ldots$, does not depend on
the variables $\chi_j = \delta_j(u)$ for $j > i$.

Note. Mappings satisfying conditions of the proposition are also known in the theory of Boolean
functions as triangle mappings; the term T-functions is used in [17], [16], [15] instead. For multivariate
mappings theorem 2.2 holds as well: A mapping $T = (t_1, \ldots, t_s)\colon (\mathbb{Z}_2)^r \to (\mathbb{Z}_2)^s$ is compatible iff
each Boolean function $\tau^T_{i,k}(\chi_{1,0}, \ldots, \chi_{r,0}, \chi_{1,1}, \ldots) = \delta_i(t_k(u_1, \ldots, u_r))$ ($i \in \mathbb{N}_0$, $k = 1, \ldots, s$) does
not depend on the variables $\chi_{\ell,j} = \delta_j(u_\ell)$ for $j > i$ ($\ell = 1, 2, \ldots, r$).

Now, given a compatible mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$, one can define an induced mapping $T \bmod
2^n\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ assuming $(T \bmod 2^n)(z) = T(z) \bmod 2^n = (T(z)) \mathrel{\mathrm{AND}} (2^n - 1)$ for $z = 0, 1, \ldots, 2^n - 1$.
Obviously, $T \bmod 2^n$ is also compatible. For odd prime $p$, as well as for the multivariate case $T\colon (\mathbb{Z}_p)^s \to
(\mathbb{Z}_p)^t$, an induced mapping $T \bmod p^n$ could be defined by analogy.
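As an added illustration (this code is not from the paper), the following Python checks the compatibility property by brute force on $n$-bit words: an operation is a T-function iff, for every $k \le n$, its result modulo $2^k$ is determined by the operands modulo $2^k$. It confirms that the arithmetic and bitwise instructions listed above are compatible, including the division $u /_2 v = u/(1+2v)$ of (2.1.1) computed as a modular inverse, and that the two exceptions named in the text, a shift towards the less significant bits and a circular rotation, are not. The code uses the conventional meaning of Python's `>>` and `<<`, not the reversed bit order adopted in the preceding paragraphs; the word size $n = 6$ and the sample composition are this example's choices.

```python
"""Brute-force check of compatibility (the T-function property) on n-bit words.

Added example, not from the paper.  omega(u, v) is compatible iff
    u == u1 (mod 2^k) and v == v1 (mod 2^k)  =>  omega(u, v) == omega(u1, v1) (mod 2^k)
for every k = 1..n; equivalently (proposition 2.2) output bit i depends only on
input bits 0..i.
"""


def is_compatible(op, n):
    """op: (u, v) -> int on n-bit words.  True iff op is a T-function modulo 2^n."""
    size = 1 << n
    for k in range(1, n + 1):
        mod = 1 << k
        for u in range(size):
            for v in range(size):
                # Compare against the canonical representatives of u, v modulo 2^k.
                if (op(u, v) - op(u % mod, v % mod)) % mod:
                    return False
    return True


def rotl(x, r, n):
    """Circular left rotation of an n-bit word (not a T-function)."""
    r %= n
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def div2(u, v, n):
    """The paper's 2-adic division u /_2 v = u * (1 + 2v)^(-1), taken modulo 2^n.
    1 + 2v is odd, hence invertible modulo 2^n (pow with exponent -1 needs Python 3.8+)."""
    return (u * pow(1 + 2 * v, -1, 1 << n)) % (1 << n)


def classify(n=6):
    """Map operation names to their compatibility verdict on n-bit words."""
    ops = {
        "add": lambda u, v: u + v,
        "sub": lambda u, v: u - v,
        "mul": lambda u, v: u * v,
        "xor": lambda u, v: u ^ v,
        "and": lambda u, v: u & v,
        "or": lambda u, v: u | v,
        "not": lambda u, v: ~u,
        "shl2 (times 4)": lambda u, v: u << 2,
        "div2 (u/(1+2v))": lambda u, v: div2(u, v, n),
        # an arbitrary composition of compatible operations stays compatible
        "composition": lambda u, v: ((u * v) ^ (u + (v << 1))) | (u & 0x15),
        # the two exceptions named in the text
        "shr1 (floor u/2)": lambda u, v: u >> 1,
        "rotl1": lambda u, v: rotl(u, 1, n),
    }
    return {name: is_compatible(f, n) for name, f in ops.items()}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{name:18s} {'compatible' if ok else 'NOT compatible'}")
```

The practical consequence for a designer is the one the paper draws: any expression built from the compatible instructions may be dropped into the constructions below without re-proving anything, whereas a single rotation or right shift inside $v$ or $w$ voids the guarantees and has to be analysed separately.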

2.3. Definition. (See [5]). We call a compatible mapping $T\colon \mathbb{Z}_p \to \mathbb{Z}_p$ bijective modulo $p^n$ iff the
induced mapping $T \bmod p^n$ is a permutation on $\mathbb{Z}/p^n$; we call $T$ transitive modulo $p^n$ iff $T \bmod p^n$
is a permutation with a single cycle. We say that $T$ is measure-preserving (respectively, ergodic)
iff $T$ is bijective (respectively, transitive) modulo $p^n$ for all $n \in \mathbb{N}$. We call a compatible mapping
$T\colon (\mathbb{Z}_p)^s \to (\mathbb{Z}_p)^t$ balanced modulo $p^n$ iff the induced mapping $T \bmod p^n$ maps $(\mathbb{Z}/p^n)^s$ onto $(\mathbb{Z}/p^n)^t$,
and each element of $(\mathbb{Z}/p^n)^t$ has the same number of preimages in $(\mathbb{Z}/p^n)^s$. Also, the mapping
$T\colon (\mathbb{Z}_p)^s \to (\mathbb{Z}_p)^t$ is called measure-preserving iff it is balanced modulo $p^n$ for all $n \in \mathbb{N}$.^8

Both mappings transitive modulo $p^n$ and mappings balanced modulo $p^n$ could be used as building blocks of
pseudorandom generators to provide both long period and uniform distribution of output sequences.
The following obvious proposition holds.



^8 The terms measure-preserving and ergodic originate from the theory of dynamical systems. Namely, a mapping
$T\colon \mathbb{Z}_p \to \mathbb{Z}_p$ is compatible iff it satisfies the Lipschitz condition with constant 1 with respect to the $p$-adic metric; $T$ defines
a dynamics on the measurable space $\mathbb{Z}_p$ with respect to the normalized Haar measure. The mapping $T$ is, e.g., ergodic
with respect to this measure (in the sense of the theory of dynamical systems) iff it satisfies 2.3, see [5] for details.
2.4. Proposition. If the state transition function $f$ of the automaton $\mathfrak{A}$ is transitive on the state set
$N$, i.e., if $f$ is a permutation with a single cycle of length $|N|$; if, further, $|M|$ is a factor of $|N|$,
and if the output function $F\colon N \to M$ is balanced (i.e., $|F^{-1}(s)| = |F^{-1}(t)|$ for all $s, t \in M$), or, in
particular, bijective, then the output sequence $\mathcal{S}$ of the automaton $\mathfrak{A}$ is purely periodic with a period
of length $|N|$ (i.e., maximum possible), and each element of $M$ occurs at the period the same number
of times: exactly $|N|/|M|$. That is, the output sequence $\mathcal{S}$ is uniformly distributed.

2.5. Definition. Further in the paper we call a sequence $\mathcal{S} = \{s_i \in M\}$ over a finite set $M$ purely
periodic with a period of length $t$ iff $s_{i+t} = s_i$ for all $i = 0, 1, 2, \ldots$. The sequence $\mathcal{S}$ is called strictly
uniformly distributed iff it is purely periodic with a period of length $t$, and every element of $M$ occurs
at the period the same number of times, i.e., exactly $t/|M|$. A sequence $\{s_i \in \mathbb{Z}_p\}$ of $p$-adic integers is
called strictly uniformly distributed modulo $p^k$ iff the sequence $\{s_i \bmod p^k\}$ of residues modulo $p^k$ is
strictly uniformly distributed over the residue ring $\mathbb{Z}/p^k$.

Note. A sequence $\{s_i \in \mathbb{Z}_p : i = 0, 1, 2, \ldots\}$ of $p$-adic integers is uniformly distributed (with respect to
the normalized Haar measure $\mu$ on $\mathbb{Z}_p$)^9 iff it is uniformly distributed modulo $p^k$ for all $k = 1, 2, \ldots$;
that is, for every $a \in \mathbb{Z}/p^k$ the relative numbers of occurrences of $a$ in the initial segment of length $\ell$ of the
sequence $\{s_i \bmod p^k\}$ of residues modulo $p^k$ are asymptotically equal, i.e., $\lim_{\ell \to \infty} \frac{A(a, \ell)}{\ell} = \frac{1}{p^k}$, where
$A(a, \ell) = |\{i < \ell : s_i \equiv a \pmod{p^k}\}|$ (see [20] for details). So strictly uniformly distributed sequences
are uniformly distributed in the common meaning of the theory of distribution of sequences.

Thus, assuming $N = \mathbb{Z}/2^n$, $M = \mathbb{Z}/2^m$, $n = km$, and taking $\bar f = f \bmod 2^n$ and $\bar F = F \bmod 2^m$ as
the state transition and the output functions, where the function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and ergodic,
and the function $F\colon (\mathbb{Z}_2)^k \to \mathbb{Z}_2$ is compatible and measure-preserving, we obtain an automaton that
generates a uniformly distributed periodic sequence, and the length of a period of this sequence is $2^n$.
That is, each element of $\mathbb{Z}/2^m$ occurs at the period the same number of times (namely, $2^{n-m}$).
Obviously, the conclusion holds if one takes as $\bar F$ an arbitrary composition of the function $\bar F = F \bmod 2^m$
with a measure-preserving function: For instance, one may put $\bar F(i) = F(\pi(i))$ or $\bar F(i) = \delta_j(i)$, etc.
Thus, proposition 2.4 makes it possible to vary both the state transition and the output functions
(for instance, to make them key-dependent, or in order to achieve better performance^10) leaving the
output sequence uniformly distributed.

There exists an easy way to construct a measure-preserving or ergodic mapping out of an arbitrary
compatible mapping, i.e., out of an arbitrary composition of both arithmetic (2.1.1) and logical (2.1.2)
operators.

2.6. Proposition. [0, Lemma 2.1 and Theorem 2.5]. Let $\Delta$ be the difference operator, i.e., $\Delta g(x) =
g(x + 1) - g(x)$ by definition. Let, further, $p$ be a prime, let $c$ be coprime with $p$, $\gcd(c, p) = 1$,
and let $g\colon \mathbb{Z}_p \to \mathbb{Z}_p$ be a compatible mapping. Then the mapping $z \mapsto c + z + p \cdot \Delta g(z)$ ($z \in \mathbb{Z}_p$) is
ergodic, and the mapping $z \mapsto d + cz + p \cdot g(z)$ preserves measure for an arbitrary $d$. Moreover, if
$p = 2$, then the converse also holds: Each compatible and ergodic (respectively, each compatible and
measure-preserving) mapping $z \mapsto f(z)$ ($z \in \mathbb{Z}_2$) could be represented as $f(x) = 1 + x + 2 \cdot \Delta g(x)$
(respectively, as $f(x) = d + x + 2 \cdot g(x)$) for suitable $d \in \mathbb{Z}_2$ and compatible $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$.



^9 I.e., $\mu(a + p^k \mathbb{Z}_p) = p^{-k}$ for all $a \in \mathbb{Z}_p$ and all $k = 0, 1, 2, \ldots$

^10 E.g., in [17] there was introduced a fast generator of this kind: $f(x) = (x + (x^2 \mathrel{\mathrm{OR}} C)) \bmod 2^{2m}$, $F(x) = \lfloor x/2^m \rfloor \bmod 2^m$.
2.7. Corollary. Let $p = 2$, and let $f$ be a compatible and ergodic mapping of $\mathbb{Z}_2$ onto itself. Then for
each $n = 1, 2, \ldots$ the state transition function $f \bmod 2^n$ could be represented as a finite composition
of bitwise logical and arithmetic operators.

For the sequel we need one more representation, in a Boolean form (see 2.2). The following theorem
is just a restatement of a known result from the theory of Boolean functions, the so-called
bijectivity/transitivity criterion for triangle Boolean mappings. However, the criterion belongs to the
mathematical folklore; thus it is difficult to attribute it to somebody, yet a reader could find a proof
in, e.g., [3, Lemma 4.8]. Recall that every Boolean function $\psi(\chi_0, \ldots, \chi_n)$ in the Boolean variables
$\chi_0, \ldots, \chi_n$ admits a unique representation in the form
\[ \psi(\chi_0, \ldots, \chi_n) = \sum_{\varepsilon_0, \ldots, \varepsilon_n \in \{0, 1\}} \xi_{\varepsilon_0, \ldots, \varepsilon_n}\, \chi_0^{\varepsilon_0} \cdots \chi_n^{\varepsilon_n} \pmod 2, \]
where $\xi_{\varepsilon_0, \ldots, \varepsilon_n} \in \{0, 1\}$; the sum in the right hand part is called the algebraic normal form (ANF) of
the Boolean function $\psi$. The degree $\deg \psi$ is $\max\{\varepsilon_0 + \cdots + \varepsilon_n : \xi_{\varepsilon_0, \ldots, \varepsilon_n} = 1\}$.

2.8. Theorem. A mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and measure-preserving iff for each $i = 0, 1, \ldots$
the ANF of the Boolean function $\tau^T_i = \delta_i(T)$ in the Boolean variables $\chi_0, \ldots, \chi_i$ could be represented as
\[ \tau^T_i(\chi_0, \ldots, \chi_i) = \chi_i + \varphi^T_i(\chi_0, \ldots, \chi_{i-1}), \]
where $\varphi^T_i$ is a Boolean function. The mapping $T$ is compatible and ergodic iff, additionally, the Boolean
function $\varphi^T_i$ is of odd weight, that is, takes value $1$ at an odd number of points $(\varepsilon_0, \ldots, \varepsilon_{i-1})$,
where $\varepsilon_j \in \{0, 1\}$ for $j = 0, 1, \ldots, i-1$. The latter holds if and only if $\varphi^T_0 = 1$ and the degree of $\varphi^T_i$ for
$i \ge 1$ is exactly $i$, that is, the ANF of $\varphi^T_i$ contains the monomial $\chi_0 \cdots \chi_{i-1}$.

2.9. Corollary. There are exactly $2^{2^n - n - 1}$ compatible and transitive mappings of $\mathbb{Z}/2^n$ onto $\mathbb{Z}/2^n$.
From theorem 2.8 follows an easy way to produce new ergodic functions out of given ones:

2.10. Proposition. For any ergodic $f$ and any compatible $v$ the following functions are ergodic:
$f(x + 4 \cdot v(x))$, $f(x \oplus (4 \cdot v(x)))$, $f(x) + 4 \cdot v(x)$, and $f(x) \oplus (4 \cdot v(x))$.

With the use of theorem 2.8 one can determine whether a given compatible mapping $f$ preserves
measure (or is ergodic) assuming it is bijective (respectively, transitive) modulo $2^n$ and studying the
behaviour of the Boolean function $\delta_n(f)$. This approach is called bit-slice analysis in [17], [16], and
[15]. More 'analytic' techniques based on $p$-adic differential calculus and Mahler interpolation series
were developed in [9], [3], and [5]; see also [21], [19] and [7] for various examples of compatible and
ergodic functions, for instance:

• (see [9], [3]) The function $f(x) = a + a_1(x \oplus b_1) + \cdots + a_k(x \oplus b_k)$ is ergodic iff it is transitive
modulo 4;

• (see [9], [3]) The function $f(x) = a + a_0 \cdot \delta_0(x) + a_1 \cdot \delta_1(x) + \cdots$ is compatible and ergodic iff
$a \equiv 1 \pmod 2$, $a_0 \equiv 1 \pmod 4$, and $a_i \equiv 0 \pmod{2^i}$, $a_i \not\equiv 0 \pmod{2^{i+1}}$ for $i = 1, 2, \ldots$;

• (see [ ]) The function
\[ f(x) = (\ldots((((x + c_0) \oplus d_0) + c_1) \oplus d_1) + \cdots + c_m) \oplus d_m \]
is ergodic iff $f$ is transitive modulo 4;

• (see [17]) The function $f(x) = x + ((x^2) \mathrel{\mathrm{OR}} c)$ is ergodic iff $c \equiv 5 \pmod 8$ or $c \equiv 7 \pmod 8$
(an equivalent statement: iff $f$ is transitive modulo 8);

• (see [21]) The polynomial $f(x) = a_0 + a_1 x + \cdots + a_d x^d$ with integral coefficients is ergodic iff
the following congruences hold simultaneously:
\[ a_3 + a_5 + a_7 + a_9 + \cdots \equiv 2a_2 \pmod 4; \qquad a_4 + a_6 + a_8 + \cdots \equiv a_1 + a_2 - 1 \pmod 4; \]
\[ a_1 \equiv 1 \pmod 2; \qquad a_0 \equiv 1 \pmod 2 \]
(an equivalent statement: iff $f$ is transitive modulo 8);

• (see [5]) A polynomial of degree $d$ with rational (and not necessarily integral) coefficients is
integer-valued, compatible, and ergodic iff $f$ takes integral values at the points
\[ 0, 1, \ldots, 2^{\lfloor \log_2 (\deg f) \rfloor + 3} - 1, \]
and the mapping
\[ f(z) \bmod 2^{\lfloor \log_2 (\deg f) \rfloor + 3} \]
is compatible and transitive on the residue class ring $\mathbb{Z}/2^{\lfloor \log_2 (\deg f) \rfloor + 3}$ (i.e., modulo the biggest
power of 2 not exceeding $8d$);

• (see [9], [3]) The entire function $f(x) = u(x) /_2 v(x) = \dfrac{u(x)}{1 + 2v(x)}$, where $u(x), v(x)$ are polynomials with integral
coefficients, is ergodic iff it is transitive modulo 8;

• (see [7, Example 3.6]) The function $f(x) = ax + \ldots$ is ergodic iff $a$ is odd (an equivalent
statement: iff $f$ is transitive modulo 2).
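The bit-slice criterion of theorem 2.8 can be run mechanically: for a candidate T-function $f$, compute the ANF of $\delta_i(f)$ over $\chi_0, \ldots, \chi_i$ by a Möbius transform, check that $\chi_i$ enters linearly and alone (measure preservation), and check that the remaining part $\varphi_i$ has odd weight, i.e. contains the monomial $\chi_0 \cdots \chi_{i-1}$ (ergodicity). The Python below is an added example, not the paper's code. It cross-checks the criterion against the cycle structure of $f \bmod 2^n$, reproduces the Klimov–Shamir condition $c \equiv 5, 7 \pmod 8$ for $x + (x^2 \mathrel{\mathrm{OR}} c)$, exercises the constructions of propositions 2.6 and 2.10, and confirms the count of corollary 2.9 for $n = 2$ by exhaustion. The particular functions `G` and `V` and the word sizes are arbitrary choices made for this example.

```python
"""Bit-slice (ANF) analysis of T-functions modulo 2^n: theorem 2.8 in code.

Added example, not from the paper.  Functions take and return Python ints;
only the low bits of the result are examined, so no masking is needed inside.
"""


def is_tfunction(f, n):
    """Proposition 2.2: bit i of f(x) depends only on bits 0..i of x."""
    for i in range(n):
        low = (1 << (i + 1)) - 1
        for x in range(1 << n):
            if ((f(x) ^ f(x & low)) >> i) & 1:
                return False
    return True


def anf(truth):
    """Moebius transform.  truth[a] is the value at the assignment whose bit j is chi_j;
    the result c[mask] is the coefficient of the monomial prod_{j in mask} chi_j."""
    c = list(truth)
    for b in range(len(c).bit_length() - 1):
        for a in range(len(c)):
            if a & (1 << b):
                c[a] ^= c[a ^ (1 << b)]
    return c


def bit_slice(f, i):
    """Theorem 2.8 for bit i: (tau_i == chi_i + phi_i(chi_0..chi_{i-1}), phi_i has odd weight)."""
    top = 1 << i
    co = anf([(f(x) >> i) & 1 for x in range(2 * top)])
    linear = co[top] == 1 and not any(co[m] for m in range(2 * top) if m & top and m != top)
    odd_weight = co[top - 1] == 1        # coefficient of chi_0...chi_{i-1}; for i = 0 this is phi_0 == 1
    return linear, odd_weight


def is_measure_preserving_mod(f, n):
    return is_tfunction(f, n) and all(bit_slice(f, i)[0] for i in range(n))


def is_ergodic_mod(f, n):
    if not is_tfunction(f, n):
        return False
    return all(lin and odd for lin, odd in (bit_slice(f, i) for i in range(n)))


def is_single_cycle(f, n):
    """Direct check: starting from 0, f mod 2^n first returns to 0 after exactly 2^n steps."""
    mask = (1 << n) - 1
    x = 0
    for steps in range(1, (1 << n) + 1):
        x = f(x) & mask
        if x == 0:
            return steps == (1 << n)
    return False


def klimov_shamir_ergodic_constants(n):
    """Constants c in 0..7 for which x + (x^2 OR c) is ergodic modulo 2^n; the ANF
    criterion and the direct cycle check must agree for every c."""
    out = set()
    for c in range(8):
        f = lambda x, c=c: x + ((x * x) | c)
        by_anf, by_cycle = is_ergodic_mod(f, n), is_single_cycle(f, n)
        assert by_anf == by_cycle, (c, by_anf, by_cycle)
        if by_anf:
            out.add(c)
    return out


def delta(g):
    """The difference operator of proposition 2.6."""
    return lambda x: g(x + 1) - g(x)


def count_compatible_transitive(n):
    """Corollary 2.9 by exhaustion over all maps Z/2^n -> Z/2^n (feasible for n <= 2)."""
    from itertools import product
    size = 1 << n
    return sum(1 for t in product(range(size), repeat=size)
               if is_tfunction(lambda x, t=t: t[x], n) and is_single_cycle(lambda x, t=t: t[x], n))


# Arbitrary compatible g and v (this example's choice); by 2.6 and 2.10 the derived maps
# are ergodic resp. measure preserving for every word size.
G = lambda x: ((x * x * 0x2D) ^ (x + 0x19)) | (x << 3)
V = lambda x: (x * 0x33) ^ (x * x)
ERGODIC_26 = lambda x: 1 + x + 2 * delta(G)(x)        # c + z + p*Delta g, p = 2, c = 1
MEASURE_26 = lambda x: 0x17 + x + 2 * G(x)            # d + cz + p*g, c = 1
ERGODIC_210 = lambda x: ERGODIC_26(x ^ (4 * V(x)))    # f(x XOR 4v(x))

if __name__ == "__main__":
    print("x + (x^2 OR c) ergodic mod 2^6 for c in", sorted(klimov_shamir_ergodic_constants(6)))
    print("1 + x + 2*Delta g ergodic mod 2^6:", is_ergodic_mod(ERGODIC_26, 6))
    print("compatible transitive maps on Z/4:", count_compatible_transitive(2))
```

The exhaustive count is only feasible for tiny $n$; for real word sizes the point of theorem 2.8 is that the per-bit ANF test replaces enumerating $2^n$ states, and the agreement of `is_ergodic_mod` with `is_single_cycle` on the cases above is the sanity check that the bit-slice implementation is right.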

A multivariate case was studied in [15], [8]; see also [5, Theorem 3.11]. Multivariate ergodic mappings
could be of use in order to produce longer periods out of shorter word operations: For instance,
to obtain a period of length $2^{256}$ one may use either univariate ergodic functions (hence, 256-bit
operands) or 8-variate ergodic functions and work with 32-bit words. Multivariate ergodic
mappings of [15] are conjugate to univariate ones (see [8]); hence, although all further results are stated
for the univariate case, they hold for these multivariate mappings as well. Thus a designer could use
further constructions either with longer words organized into 1-dimensional arrays, or with shorter
words organized into arrays of bigger dimensions.

3. Constructions 

In this section we introduce a method to construct counter-dependent pseudorandom generators
out of ergodic and measure-preserving mappings. The method guarantees that output sequences of
these generators are always strictly uniformly distributed. Actually, all these constructions are wreath
products of automata in the sense of 2.1; the following results give us the conditions these automata should
satisfy to produce a uniformly distributed output sequence. Our main technical tool is the following

3.1. Theorem. Let $\mathcal{G} = \{g_0, \ldots, g_{m-1}\}$ be a finite sequence of compatible measure-preserving mappings
of $\mathbb{Z}_2$ onto itself such that

(1) the sequence $\{(g_{i \bmod m}(0)) \bmod 2 : i = 0, 1, 2, \ldots\}$ is purely periodic, its shortest period is of
length $m$;

(2) $\sum_{i=0}^{m-1} g_i(0) \equiv 1 \pmod 2$;

(3) $\sum_{i=0}^{m-1} \sum_{z=0}^{2^k - 1} \bigl(g_i(z) - z\bigr) \equiv 2^k \pmod{2^{k+1}}$ for all $k = 1, 2, \ldots$.

Then the recurrence sequence $\mathcal{Z}$ defined by the relation $x_{i+1} = g_{i \bmod m}(x_i)$ is strictly uniformly distributed
modulo $2^n$ for all $n = 1, 2, \ldots$: That is, modulo each $2^n$ the sequence $\mathcal{Z}$ is purely periodic, its
shortest period is of length $2^n m$, and each element of $\mathbb{Z}/2^n$ occurs at the period exactly $m$ times.
Note. In view of 2.8 condition (3) of theorem 3.1 could be replaced by the equivalent condition
\[ \sum_{i=0}^{m-1} \mathrm{Coef}_{0, \ldots, k-1}\bigl(\varphi^{g_i}_k\bigr) \equiv 1 \pmod 2 \qquad (k = 1, 2, \ldots), \]
where $\mathrm{Coef}_{0, \ldots, k-1}(\varphi)$ is the coefficient of the monomial $\chi_0 \cdots \chi_{k-1}$ in the Boolean polynomial $\varphi$.
It turns out that the sequence $\mathcal{Z}$ of 3.1 is just the sequence $\mathcal{Y}$ of the following

3.2. Lemma. Let $c_0, \ldots, c_{m-1}$ be a finite sequence of 2-adic integers, and let $g_0, \ldots, g_{m-1}$ be a finite
sequence of compatible mappings of $\mathbb{Z}_2$ onto itself such that

(i) $g_j(x) \equiv x + c_j \pmod 2$ for $j = 0, 1, \ldots, m-1$,

(ii) $\sum_{j=0}^{m-1} c_j \equiv 1 \pmod 2$,

(iii) the sequence $\{c_{i \bmod m} \bmod 2 : i = 0, 1, 2, \ldots\}$ is purely periodic, its shortest period is of length
$m$,

(iv) $\delta_k(g_j(z)) \equiv \zeta_k + \psi^k_j(\zeta_0, \ldots, \zeta_{k-1}) \pmod 2$, $k = 1, 2, \ldots$, where $\zeta_r = \delta_r(z)$, $r = 0, 1, 2, \ldots$,

(v) for each $k = 1, 2, \ldots$ an odd number of the Boolean polynomials $\psi^k_j$ in the Boolean variables
$\zeta_0, \ldots, \zeta_{k-1}$ are of odd weight.

Then the recurrence sequence $\mathcal{Y} = \{x_i \in \mathbb{Z}_2\}$ defined by the relation $x_{i+1} = g_{i \bmod m}(x_i)$ is strictly
uniformly distributed: It is purely periodic modulo $2^k$ for all $k = 1, 2, \ldots$; its shortest period is of length
$2^k m$; each element of $\mathbb{Z}/2^k$ occurs at the period exactly $m$ times. Moreover,

(1) the sequence $\mathcal{Y}_s = \{\delta_s(x_i) : i = 0, 1, 2, \ldots\}$ is purely periodic; it has a period of length $2^{s+1} m$,

(2) $\delta_s(x_{i + 2^s m}) \equiv \delta_s(x_i) + 1 \pmod 2$ for all $s = 0, 1, \ldots, k-1$, $i = 0, 1, 2, \ldots$,

(3) for each $t = 1, 2, \ldots, k$ and each $r = 0, 1, 2, \ldots$ the sequence
\[ x_r \bmod 2^t,\ x_{r+m} \bmod 2^t,\ x_{r+2m} \bmod 2^t,\ \ldots \]
is purely periodic, its shortest period is of length $2^t$, each element of $\mathbb{Z}/2^t$ occurs at the period
exactly once.

3.3. Note. Assuming $m = 1$ in 3.1 one obtains the ergodicity criterion 2.8.

3.4. Corollary. Let a finite sequence of mappings $\{g_0, \ldots, g_{m-1}\}$ of $\mathbb{Z}_2$ into itself satisfy the conditions
of theorem 3.1, and let $\{F_0, \ldots, F_{m-1}\}$ be an arbitrary finite sequence of balanced (and not
necessarily compatible) mappings of $\mathbb{Z}/2^n$ ($n \ge 1$) onto $\mathbb{Z}/2^k$, $1 \le k \le n$. Then the sequence
$\{F_{i \bmod m}(x_i) : i = 0, 1, 2, \ldots\}$, where $x_{i+1} = g_{i \bmod m}(x_i) \bmod 2^n$, is strictly uniformly distributed
over $\mathbb{Z}/2^k$: It is purely periodic with a period of length $2^n m$, and each element of $\mathbb{Z}/2^k$ occurs at the
period exactly $2^{n-k} m$ times.
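Conditions (1)–(3) of theorem 3.1 are finite computations once the range of $k$ is fixed, and condition (3) is the same parity statement as lemma 3.2 (v) and the note after 3.1: since $g_i \bmod 2^k$ permutes $\mathbb{Z}/2^k$, the residues $g_i(z) \bmod 2^k$ for $z < 2^k$ sum to the same value as the $z$ themselves, so $\sum_{z < 2^k} (g_i(z) - z) \equiv 2^k \cdot \mathrm{weight}(\psi^k_i) \pmod{2^{k+1}}$, and the double sum is $2^k$ modulo $2^{k+1}$ exactly when an odd number of the $\psi^k_i$ have odd weight. The Python below (an added example, not the paper's code) evaluates both forms for two families of clock functions: the introductory family $g_j(x) = c_j + x + 4 v_j(x)$ and a family $g_j(x) = c_j + h_j(x)$ with an ergodic $h_j$. The $v_j$, the choice $h_j(x) = x + (x^2 \mathrel{\mathrm{OR}} 5)$, the control sequences and the bound $k \le 6$ are this example's own assumptions.

```python
"""Checking the hypotheses of theorem 3.1 / lemma 3.2 for a family of clock functions.

Added example, not from the paper.  For k = 1..kmax it evaluates
  (3)  sum_i sum_{z < 2^k} (g_i(z) - z)  ==  2^k   (mod 2^{k+1})
and the equivalent parity statement of lemma 3.2 (v): an odd number of the
psi_i^k (bit k of g_i restricted to chi_k = 0) have odd weight.  Each g_i is
assumed to be measure preserving, as in the theorem.
"""


def parity_pattern_period(gs):
    """Shortest period of the 0/1 sequence (g_{i mod m}(0) mod 2); condition (1) wants m."""
    m = len(gs)
    pattern = [g(0) & 1 for g in gs]
    for t in range(1, m + 1):
        if m % t == 0 and all(pattern[i] == pattern[(i + t) % m] for i in range(m)):
            return t
    return m


def condition_3_sum(gs, k):
    """Left-hand side of (3) reduced modulo 2^{k+1}."""
    total = sum(g(z) - z for g in gs for z in range(1 << k))
    return total % (1 << (k + 1))


def condition_3_parity(gs, k):
    """Lemma 3.2 (v): parity of the number of psi_i^k of odd weight.  For z < 2^k the
    bit chi_k is 0, so weight(psi_i^k) is the number of such z with bit k of g_i(z) set
    (Python's >> on negative ints yields the 2-adic digit, as required)."""
    odd_count = 0
    for g in gs:
        weight = sum((g(z) >> k) & 1 for z in range(1 << k))
        odd_count += weight & 1
    return odd_count & 1


def check_theorem_31(gs, kmax=6):
    """Verdict on conditions (1), (2) and (3) (the latter for k = 1..kmax)."""
    m = len(gs)
    c1 = parity_pattern_period(gs) == m
    c2 = sum(g(0) for g in gs) % 2 == 1
    sums_ok = all(condition_3_sum(gs, k) == (1 << k) for k in range(1, kmax + 1))
    parity_ok = all(condition_3_parity(gs, k) == 1 for k in range(1, kmax + 1))
    assert sums_ok == parity_ok                  # the two forms of (3) must agree
    return {"(1)": c1, "(2)": c2, "(3)": sums_ok, "all": c1 and c2 and sums_ok}


# --- families used below (this example's own choices) -------------------------

def intro_family(control):
    """g_j(x) = c_j + x + 4*v_j(x) with arbitrary compatible v_j (the introductory construction)."""
    vs = [lambda x: (x * x) ^ 0x35, lambda x: (x | 7) * (x + 3),
          lambda x: ~x & (x * 0x2B), lambda x: (x << 2) + x * x * x]
    return [lambda x, c=c, v=vs[j % 4]: c + x + 4 * v(x) for j, c in enumerate(control)]


def shifted_ergodic_family(control):
    """g_j(x) = c_j + h(x) with the ergodic h(x) = x + (x^2 OR 5) (Klimov-Shamir)."""
    return [lambda x, c=c: c + x + ((x * x) | 5) for c in control]


if __name__ == "__main__":
    for label, gs in [("intro, c = (0,1,2)", intro_family([0, 1, 2])),
                      ("intro, c = (5,2,0,6)", intro_family([5, 2, 0, 6])),
                      ("intro, c = (1,1,1)", intro_family([1, 1, 1])),
                      ("c_j + h, c = (3,1,4,1)", shifted_ergodic_family([3, 1, 4, 1])),
                      ("c_j + h, c = (1,0,0,1)", shifted_ergodic_family([1, 0, 0, 1]))]:
        print(f"{label:24s}", check_theorem_31(gs))
```

For the introductory family the $4 v_j$ terms never affect the verdict, because $\sum_{z < 2^k} v(z) \equiv 0 \pmod{2^{k-1}}$ for any compatible $v$; conditions (2) and (3) then both reduce to $\sum c_j$ being odd, and only condition (1) still depends on the order of the $c_j$. For $g_j = c_j + h_j$ with $m$ even and ergodic $h_j$ the same reduction holds, since each $h_j$ contributes an odd weight and an even number of odd terms cancels modulo 2.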

Theorem 3.1 and lemma 3.2 together with corollary 3.4 enable one to construct a counter-dependent
generator out of the following components:

• A sequence $c_0, \ldots, c_{m-1}$ of integers, which we call a control sequence.

• A sequence $h_0, \ldots, h_{m-1}$ of compatible mappings, which is used to form a sequence of clock
state update functions $g_i$ (see e.g. examples 3.5).

• A sequence $H_0, \ldots, H_{m-1}$ of compatible mappings to produce clock output functions $F_i$ (see
e.g. proposition 4.9).

Note that ergodic functions that are needed to meet the conditions of 4.9 or 3.5 (3) could be produced out
of compatible ones with the use of 2.6 or 2.10. A control sequence could be produced by an external
generator (which in turn could be a generator of the kind considered in this paper), or it could be
just the queue in which the state update and output functions are called from a look-up table. The functions
$h_i$ and/or $H_i$ could be either precomputed to arrange that look-up table, or they could be produced
on-the-fly in a form that is determined by the control sequence. This form may also look 'crazy', e.g.,
\[ (3.4.1) \qquad h_i(x) = \Bigl(\cdots\Bigl(\bigl(u_0(\delta_0(c_i)) \circ_{\delta_1(c_i), \delta_2(c_i)} u_1(\delta_3(c_i))\bigr) \circ_{\delta_4(c_i), \delta_5(c_i)} u_2(\delta_6(c_i))\Bigr) \cdots\Bigr), \]
where $u_j(0) = x$, the variable, and $u_j(1)$ is a constant (which is determined by $c_i$, or is read from
a precomputed look-up table, etc.), while (say) $\circ_{0,0} = +$, an integer addition, $\circ_{1,0} = \cdot$, an integer
multiplication, $\circ_{0,1} = \mathrm{XOR}$, $\circ_{1,1} = \mathrm{AND}$. It does not matter at all what these $h_i$ and $H_i$ look
like or how they are obtained; the above stated results give a general method to combine all the data
together to produce a uniformly distributed output sequence of maximum period length.

3.5. Examples. These are obtained with the use of 3.2, 2.8, 2.10, and (5.0.2). 

(1) A control sequence could be produced by the generator $\mathfrak{A} = \langle \ldots, \mathbb{Z}/2^s, f, F, u_0 \rangle$ (see Section 2) with ergodic state update function $f$ and measure-preserving output function $F$. Then the length of the shortest period of the control sequence is $m = 2^s$, see 2.4. Take $m$ arbitrary ergodic functions $h_0, \ldots, h_{m-1}$ and an arbitrary odd $k \in \{0, 1, \ldots, m-1\}$, and put $g_0(x) = x \oplus (x+1) \oplus h_0(x), \ldots, g_{k-1}(x) = x \oplus (x+1) \oplus h_{k-1}(x)$, $g_k = h_k, \ldots, g_{m-1} = h_{m-1}$, $g_i = g_{c_i \bmod m}$ for $i = 0, 1, 2, \ldots$. In other words, in this case the control sequence just defines the order in which the functions $g_j$ are called, thus producing the output sequence

$x_0,\ x_1 = g_{c_0}(x_0) \bmod 2^n,\ x_2 = g_{c_1}(x_1) \bmod 2^n,\ \ldots$

Obviously, in this example a control sequence could be an arbitrary permutation of $0, 1, \ldots, 2^s - 1$, and not necessarily an output of the generator $\mathfrak{A}$.

(2) Now let $\{c_0, \ldots, c_{m-1}\}$ be an arbitrary sequence of length $m = 2^s$, i.e., $c_0, \ldots, c_{m-1}$ are not necessarily pairwise distinct. Let $\{h_0, \ldots, h_{m-1}\}$ be arbitrary compatible and ergodic mappings. For $0 \le j \le m-1$ put $g_j(x) = c_j + h_j(x)$. These mappings $g_j$ satisfy the conditions of theorem 3.1 if and only if $\sum_{j=0}^{m-1} c_j \equiv 1 \pmod 2$.

One may also put $g_j(x) = (c_j + x) \oplus (2 \cdot h_j(x))$.
Figure 3. Wreath product basic circuit of Examples 3.5, (2)-(4).

(3) For $m > 1$ odd let $\{h_0, \ldots, h_{m-1}\}$ be a finite sequence of compatible and ergodic mappings; let $\{c_0, \ldots, c_{m-1}\}$ be a finite sequence of integers such that

• $\sum_{j=0}^{m-1} c_j \equiv 0 \pmod 2$, and

• the sequence $\{c_{i \bmod m} \bmod 2 : i = 0, 1, 2, \ldots\}$ is purely periodic with the shortest period of length $m$.

Put $g_j(x) = c_j \oplus h_j(x)$ (respectively, $g_j(x) = c_j + h_j(x)$). Then the $g_j$ satisfy the conditions of 3.1.

(4) The conditions of (3) are satisfied in the case $m = 2^s - 1$ and $\{c_0, \ldots, c_{m-1}\}$ is the output sequence of a maximum period linear feedback shift register over $\mathbb{Z}/2$ with $s$ cells.

A basic circuit illustrating these example wreath products is given in Figure 3. A number of counter-dependent generators could be derived from 3.5 by taking explicit expressions for the involved mappings. For instance, one can obtain the following result, which is a variation on the theme of [16, Theorem 3].



Take odd $m > 1$ and consider a finite sequence $C_0, \ldots, C_{m-1}$ of integers such that $\delta_0(C_j) = 1$ and $\delta_2(C_j) = 1$, $j = 0, 1, \ldots, m-1$. Let a sequence $\{c_j : j = 0, 1, 2, \ldots\}$ satisfy the conditions of 3.5(3). Then the sequence $\{x_{i+1} = (x_i + c_i + (x_i^2 \text{ OR } C_i)) \bmod 2^k : i = 0, 1, 2, \ldots\}$ is purely periodic modulo $2^k$ for all $k = 1, 2, \ldots$ with the shortest period of length $2^k m$, and each element of $\mathbb{Z}/2^k$ occurs at the period exactly $m$ times. This is a stronger claim than that of [16, Theorem 3]: Not only is the sequence of pairs $(y_i, x_i)$ defined by $y_{i+1} = (y_i + 1) \bmod m$; $x_{i+1} = (x_i + c_{y_i} + (x_i^2 \text{ OR } C_{y_i})) \bmod 2^n$ periodic with a period of length $2^n m$, but the length of the shortest period of the sequence $\{x_i\}$ itself is $2^n m$. The latter could never be achieved under the conditions of Theorem 3 of [16]: They imply that the length of the shortest period of the sequence $\{x_i \pmod 2\}$ is 2, and not $2m$.

4. Properties of output sequences 

Distribution of k-tuples. The output sequence $\mathcal{Z}$ of any wreath product of automata that satisfy 3.1 is strictly uniformly distributed as a sequence over $\mathbb{Z}/2^n$ for all $n$. That is, each sequence $\mathcal{Z}_n$ of residues modulo $2^n$ of members of the sequence $\mathcal{Z}$ is purely periodic, and each element of $\mathbb{Z}/2^n$ occurs at the period the same number of times. However, when this sequence $\mathcal{Z}_n$ is used as a keystream, that is, as a binary sequence $\mathcal{Z}_n'$ obtained by a concatenation of successive $n$-bit words of $\mathcal{Z}_n$, it is important to know how $n$-tuples are distributed in this binary sequence. Yet strict uniform distribution of an arbitrary sequence $\mathcal{T}$ as a sequence over $\mathbb{Z}/2^n$ does not necessarily imply uniform distribution of $n$-tuples, if this sequence is considered as a binary sequence $\mathcal{T}'$.

For instance, let $\mathcal{T} = 0231\,0231\,0231 \ldots$. This sequence is strictly uniformly distributed over $\mathbb{Z}/4$; the length of its shortest period is 4. Its binary representation is $\mathcal{T}' = 000111100001111000011110 \ldots$ Considering $\mathcal{T}$ as a sequence over $\mathbb{Z}/4$, each number of $\{0, 1, 2, 3\}$ occurs in the sequence with the same frequency $\frac{1}{4}$. Yet if we consider $\mathcal{T}$ in its binary form $\mathcal{T}'$, then 00 (as well as 11) occurs in this sequence with frequency $\frac{3}{8}$, whereas 01 (as well as 10) occurs with frequency $\frac{1}{8}$.

In this subsection we show that such an effect does not take place for output sequences of the automata described in 3.1, 3.2, and 3.5: Considering any of these sequences in binary form, the distribution of $k$-tuples is uniform for all $k \le n$. Now we state this property formally.

Consider a (binary) $n$-cycle $C = (\varepsilon_0 \varepsilon_1 \ldots \varepsilon_{n-1})$, i.e., an oriented graph on vertices $\{a_0, a_1, \ldots, a_{n-1}\}$ and edges

$\{(a_0, a_1), (a_1, a_2), \ldots, (a_{n-2}, a_{n-1}), (a_{n-1}, a_0)\},$

where each vertex $a_j$ is labelled with $\varepsilon_j \in \{0, 1\}$, $j = 0, 1, \ldots, n-1$. (Note that then $(\varepsilon_0 \varepsilon_1 \ldots \varepsilon_{n-1}) = (\varepsilon_{n-1} \varepsilon_0 \ldots \varepsilon_{n-2}) = \cdots$, etc.) Clearly, each purely periodic sequence $\mathcal{S}$ over $\mathbb{Z}/2$ with period $\alpha_0 \ldots \alpha_{n-1}$ of length $n$ could be related to a binary $n$-cycle $C(\mathcal{S}) = (\alpha_0 \ldots \alpha_{n-1})$. Conversely, to each binary $n$-cycle $(\alpha_0 \ldots \alpha_{n-1})$ we could relate $n$ purely periodic binary sequences with periods of length $n$: Those are the $n$ shifted versions of the sequence

$\alpha_0 \ldots \alpha_{n-1} \alpha_0 \ldots \alpha_{n-1} \ldots$

Further, a $k$-chain in a binary $n$-cycle $C$ is a binary string $\beta_0 \ldots \beta_{k-1}$, $k \le n$, that satisfies the following condition: There exists $j \in \{0, 1, \ldots, n-1\}$ such that $\beta_i = \varepsilon_{(i+j) \bmod n}$ for $i = 0, 1, \ldots, k-1$. Thus, a $k$-chain is just a string of length $k$ of labels that corresponds to a chain of length $k$ in the graph $C$. We call a binary $n$-cycle $C$ $k$-full if each $k$-chain occurs in the graph $C$ the same number $r > 0$ of times.

Clearly, if $C$ is $k$-full, then $n = 2^k r$. For instance, a well-known De Bruijn sequence is an $n$-full $2^n$-cycle. Clearly enough, a $k$-full $n$-cycle is $(k-1)$-full: Each $(k-1)$-chain occurs in $C$ exactly $2r$ times, etc. Thus, if an $n$-cycle $C(\mathcal{S})$ is $k$-full, then each $m$-tuple (where $1 \le m \le k$) occurs in the sequence $\mathcal{S}$ with the same probability (limit frequency). That is, the sequence $\mathcal{S}$ is $k$-distributed, see [18, Section 3.5, Definition D].

4.1. Definition. A purely periodic binary sequence $\mathcal{S}$ with the shortest period of length $n$ is said to be strictly $k$-distributed iff the corresponding $n$-cycle $C(\mathcal{S})$ is $k$-full.

Thus, if a sequence $\mathcal{S}$ is strictly $k$-distributed, then it is strictly $s$-distributed for all positive $s \le k$.

4.2. Theorem. For the sequence $\mathcal{Z}$ of theorem 3.1 each binary sequence $\mathcal{Z}_n'$ is strictly $k$-distributed for all $k = 1, 2, \ldots, n$.
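The following is an added, runnable illustration (my code, not the paper's) of the explicit generator stated after Figure 3 and of the k-full test behind Definition 4.1 and Theorem 4.2: it runs $x_{i+1} = (x_i + c_i + (x_i^2 \text{ OR } C_i)) \bmod 2^n$ for a constructed instance with $m = 3$, checks the period $2^n m$ and the $m$ occurrences of every residue, then writes the states as an $n$-bit keystream (least significant bit first, as in the paper's $\mathcal{T}'$ example) and counts its $k$-chains. The instance values $c = (0, 1, 1)$ and $C_j = 5$ are my choice, as is the paper's $\mathcal{T}'$ re-typed as a list.

```python
from collections import Counter

# Constructed instance (my choice, not the paper's): m = 3, control sequence c with
# even sum whose residues mod 2 have shortest period m, and C_j with bits 0 and 2 set.
M = 3
C_SEQ = (0, 1, 1)
CAP_C = (5, 5, 5)


def step(x, i, n):
    """One clock: x_{i+1} = (x_i + c_i + (x_i^2 OR C_i)) mod 2^n, c_i and C_i taken mod m."""
    j = i % M
    return (x + C_SEQ[j] + ((x * x) | CAP_C[j])) % (1 << n)


def state_period(n, x0=0):
    """Run until the pair (state, clock mod m) repeats; return (period, states of one period)."""
    seen, states, x, i = {}, [], x0, 0
    while (x, i % M) not in seen:
        seen[(x, i % M)] = i
        states.append(x)
        x = step(x, i, n)
        i += 1
    start = seen[(x, i % M)]
    return i - start, states[start:]


def keystream_bits(states, n):
    """Concatenate the n-bit words, least significant bit first (the paper's T' convention)."""
    return [(x >> b) & 1 for x in states for b in range(n)]


def chain_counts(cycle, k):
    """Number of occurrences of every k-chain in a binary cycle (wrap-around included)."""
    L = len(cycle)
    return Counter(tuple(cycle[(j + t) % L] for t in range(k)) for j in range(L))


def is_k_full(cycle, k):
    """k-full: all 2^k binary k-chains occur, each the same number r > 0 of times."""
    counts = chain_counts(cycle, k)
    return len(counts) == 1 << k and len(set(counts.values())) == 1


def check_instance(n):
    """(period, sorted residue counts, list of k <= n for which Z'_n is k-full)."""
    period, states = state_period(n)
    occurrences = sorted(Counter(states).values())
    bits = keystream_bits(states, n)
    return period, occurrences, [k for k in range(1, n + 1) if is_k_full(bits, k)]


# The paper's counterexample: T = 0231 0231 ... over Z/4 written bitwise is T' = 00011110 ...
T_PRIME = [0, 0, 0, 1, 1, 1, 1, 0]

if __name__ == "__main__":
    print("T' 1-full:", is_k_full(T_PRIME, 1), " 2-full:", is_k_full(T_PRIME, 2))
    print("2-chains of T':", dict(chain_counts(T_PRIME, 2)))
    for n in (2, 4, 8):
        print("n =", n, check_instance(n))
```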

4.3. Note. Theorem 4.2 remains true for the sequence $\mathcal{F}$ of corollary 3.4, where $F_j(x) = \lfloor x / 2^{n-k} \rfloor \bmod 2^k$, $j = 0, 1, \ldots, m-1$, a truncation of the $(n-k)$ less significant bits. Namely, the binary representation $\mathcal{F}'$ of the sequence $\mathcal{F}$ is a purely periodic strictly $k$-distributed binary sequence with a period of length $2^n m k$.

Theorem 4.2 treats an output sequence of a counter-dependent automaton as an infinite (though periodic) binary sequence. However, in cryptography only a part of a period is used during encryption. So it is natural to ask how 'random' a finite segment (namely, the period) of this infinite sequence is. According to [18, Section 3.5, Definition Q1] a finite binary sequence $\varepsilon_0 \varepsilon_1 \ldots \varepsilon_{N-1}$ of length $N$ is said to be random iff

for all $0 < k \le \log_2 N$, where $\nu(\beta_0 \ldots \beta_{k-1})$ is the number of occurrences of the binary word $\beta_0 \ldots \beta_{k-1}$ in the binary word $\varepsilon_0 \varepsilon_1 \ldots \varepsilon_{N-1}$. If a finite sequence is random in the sense of this Definition Q1 of [18], we shall say that this sequence satisfies Q1. We shall also say that an infinite periodic sequence satisfies Q1 iff its shortest period satisfies Q1. Note that, in contrast to the case of strict $k$-distribution, which implies strict $(k-1)$-distribution, it is not enough to demonstrate only that (4.3.1) holds for $k = \lfloor \log_2 N \rfloor$ to prove that a finite sequence of length $N$ satisfies Q1: For instance, the sequence 1111111100000111 satisfies (4.3.1) for $k = \lfloor \log_2 N \rfloor = 4$ and does not satisfy (4.3.1) for $k = 3$.

4.4. Corollary. The sequence $\mathcal{Z}_n'$ of theorem 4.2 satisfies Q1 if $m \le \ldots$. Moreover, in this case under the conditions of 4.3 the output binary sequence still satisfies Q1 if one truncates $0 \le k \le \ldots - \log_2 \ldots$ lower order bits (that is, if one uses the clock output functions $F_j$ of 4.3).

We note here that according to 4.4 a control sequence of a counter-dependent automaton (see 3.1, 3.2, 3.4, and the text and examples thereafter) may not satisfy Q1 at all, yet nevertheless the corresponding output sequence necessarily satisfies Q1. Thus, with the use of wreath product techniques one could stretch 'non-randomly looking' sequences to 'randomly looking' ones.

Structure. A recurrence sequence could be 'very uniformly distributed', yet nevertheless could have some mathematical structure that might be used by an attacker to break the cipher. For instance, the clock sequence $x_i = i$ is uniformly distributed in $\mathbb{Z}_2$; moreover, its counterpart in the field $\mathbb{R}$ of real numbers, the so-called Van der Corput sequence $u_i = i \cdot 2^{-\lfloor \log_2 i \rfloor - 1}$, has the least (of the known) discrepancy, see [20]. We are going to study what structure the sequences output by our counter-dependent generators could have.

Theorem 3.1 immediately implies that the $j$-th coordinate sequence $\delta_j(\mathcal{Z}) = \{\delta_j(x_i) : i = 0, 1, 2, \ldots\}$ ($j = 0, 1, 2, \ldots$) of the sequence $\mathcal{Z}$, i.e., the sequence formed by all $j$-th bits of members of the sequence $\mathcal{Z}$, has a period not longer than $m \cdot 2^{j+1}$. Moreover, the following could be easily proved:

4.5. Proposition. (1) The $j$-th coordinate sequence $\delta_j(\mathcal{Z})$ is a purely periodic binary sequence with a period of length $2^{j+1} m$, and (2) the second half of the period is a bitwise negation of the first half: $\delta_j(x_{i + 2^j m}) = \delta_j(x_i) + 1 \pmod 2$, $i = 0, 1, 2, \ldots$

This means that the $j$-th coordinate sequence of the sequence of states of a counter-dependent generator is completely determined by the first half of its period; so, intuitively, it is as 'complex' as the first half of its period. Thus we ought to understand what sequences of length $2^j m$ occur as the first half of the period of the $j$-th coordinate sequence.

For $j = 0$ (and $m > 1$) the answer immediately follows from 3.1 and 3.2: any binary sequence $c_0, \ldots, c_{m-1}$ such that $\sum_{j=0}^{m-1} c_j \equiv 1 \pmod 2$ does. It turns out that for $j > 0$ any binary sequence could be produced as the first half of the period of the $j$-th coordinate sequence independently of the other coordinate sequences.

More formally, to each sequence $\mathcal{Z}$ described by theorem 3.1 we associate a sequence $\Gamma(\mathcal{Z}) = \{\gamma_1, \gamma_2, \ldots\}$ of non-negative rational integers $\gamma_j$ such that $0 \le \gamma_j \le 2^{2^j m} - 1$ and the base-2 expansion of $\gamma_j$ agrees with the first half of the period of the $j$-th coordinate sequence $\delta_j(\mathcal{Z})$ for all $j = 1, 2, \ldots$; that is

$\gamma_j = \delta_j(x_0) + 2 \cdot \delta_j(x_1) + 4 \cdot \delta_j(x_2) + \cdots + 2^{2^j m - 1} \cdot \delta_j(x_{2^j m - 1}),$

where $x_0$ is an initial state; $x_{i+1} = g_{i \bmod m}(x_i)$, $i = 0, 1, 2, \ldots$. Now we take an arbitrary sequence $\Gamma = \{\gamma_1, \gamma_2, \ldots\}$ of non-negative rational integers $\gamma_j$ such that $0 \le \gamma_j \le 2^{2^j m} - 1$ and wonder whether this sequence could be so associated to some sequence $\mathcal{Z}$ described by theorem 3.1. The answer is yes. Namely, the following theorem holds.

4.6. Theorem. Let $m > 1$ be a rational integer, and let $\Gamma = \{\gamma_1, \gamma_2, \ldots\}$ be an arbitrary sequence over $\mathbb{N}_0$ such that $\gamma_j \in \{1, 2, \ldots, 2^{2^j m} - 1\}$ for all $j = 1, 2, \ldots$. Then there exist a finite sequence $\mathcal{G} = \{g_0, \ldots, g_{m-1}\}$ of compatible measure preserving mappings of $\mathbb{Z}_2$ onto itself and a 2-adic integer $x_0 = z \in \mathbb{Z}_2$ such that $\mathcal{G}$ satisfies the conditions of theorem 3.1, and the base-2 expansion of $\gamma_j$ agrees with the first $2^j m$ terms of the sequence $\delta_j(\mathcal{Z})$ for all $j = 1, 2, \ldots$, where the recurrence sequence $\mathcal{Z} = \{x_0, x_1, \ldots \in \mathbb{Z}_2\}$ is defined by the recurrence relation $x_{i+1} = g_{i \bmod m}(x_i)$, $(i = 0, 1, 2, \ldots)$. In the case $m = 1$ the assertion holds for an arbitrary $\Gamma = \{\gamma_0, \gamma_1, \ldots\}$, where $\gamma_j \in \{1, 2, \ldots, 2^{2^j} - 1\}$, $j = 0, 1, 2, \ldots$.

Linear complexity. The latter is an important cryptographic measure of complexity of a binary sequence; being the number of cells of the shortest linear feedback shift register (LFSR) that outputs the given sequence (*), it estimates the dimension of the linear system an attacker must solve to obtain the initial state.

4.7. Theorem. For $\mathcal{Z}$ and $m$ of theorem 3.1 let $\mathcal{Z}_j = \delta_j(\mathcal{Z})$, $j \ge 0$, be the $j$-th coordinate sequence. Represent $m = 2^k r$, where $r$ is odd. Then the length of the shortest period of $\mathcal{Z}_j$ is $2^{k+j+1} s$ for some $s \in \{1, 2, \ldots, r\}$, and both extreme cases $s = 1$ and $s = r$ occur: For every sequence $s_1, s_2, \ldots$ over the set $\{1, r\}$ there exists a sequence $\mathcal{Z}$ of theorem 3.1 such that the length of the shortest period of $\mathcal{Z}_j$ is $2^{k+j+1} s_j$, $(j = 1, 2, \ldots)$. Moreover, the linear complexity $\Psi_2(\mathcal{Z}_j)$ of the sequence $\mathcal{Z}_j$ satisfies the following inequality:

$2^{k+j} + 1 \le \Psi_2(\mathcal{Z}_j) \le 2^{k+j} r + 1.$

Both these bounds are sharp: For every sequence $t_1, t_2, \ldots$ over the set $\{1, r\}$ there exists a sequence $\mathcal{Z}$ of theorem 3.1 such that the linear complexity of $\mathcal{Z}_j$ is exactly $2^{k+j} t_j + 1$, $(j = 1, 2, \ldots)$.
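An added example (my code, not the paper's) that takes the same constructed instance of the Section 3 generator ($m = 3$, $c = (0, 1, 1)$, $C_j = 5$, my choice), extracts its coordinate sequences $\delta_j(\mathcal{Z})$, and checks Proposition 4.5 (period $2^{j+1} m$, second half the negation of the first) together with the linear-complexity bounds of Theorem 4.7; the linear complexity is computed with the standard Berlekamp-Massey algorithm over GF(2), which the paper does not spell out.

```python
# Constructed instance (my choice, not the paper's): m = 3, c with even sum and
# residues mod 2 of shortest period m, C_j = 5 (bits 0 and 2 set).
M, C_SEQ, CAP_C = 3, (0, 1, 1), (5, 5, 5)


def step(x, i, n):
    """x_{i+1} = (x_i + c_i + (x_i^2 OR C_i)) mod 2^n, indices taken modulo m."""
    j = i % M
    return (x + C_SEQ[j] + ((x * x) | CAP_C[j])) % (1 << n)


def coordinate_sequence(j, n, length, x0=0):
    """delta_j(Z): the j-th bits of x_0, x_1, ..., x_{length-1}, states taken modulo 2^n."""
    out, x = [], x0
    for i in range(length):
        out.append((x >> j) & 1)
        x = step(x, i, n)
    return out


def shortest_period(seq):
    """Smallest p such that seq[i] == seq[i+p] throughout the sample."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return len(seq)


def second_half_is_negation(seq, half):
    """Proposition 4.5(2): delta_j(x_{i + 2^j m}) = delta_j(x_i) + 1 (mod 2) for every i."""
    return all(seq[i] ^ seq[i + half] == 1 for i in range(half))


def linear_complexity(s):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR that generates s."""
    n = len(s)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            for j in range(n - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def theorem_4_7_bounds(j, m=M):
    """2^{k+j} + 1 <= linear complexity <= 2^{k+j} r + 1, where m = 2^k r with r odd."""
    k = 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return (1 << (k + j)) + 1, (1 << (k + j)) * m + 1


def analyze_bit(j, n):
    """(shortest period, negation property holds, linear complexity) of delta_j(Z) modulo 2^n."""
    period = (1 << (j + 1)) * M               # the period promised by Proposition 4.5(1)
    seq = coordinate_sequence(j, n, 3 * period)
    lc = linear_complexity(seq[:2 * period])  # 2*period >= 2*LC terms, enough for BM
    return shortest_period(seq), second_half_is_negation(seq, period // 2), lc


if __name__ == "__main__":
    for j in range(4):
        print("j =", j, analyze_bit(j, 4), "Theorem 4.7 bounds", theorem_4_7_bounds(j))
```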

Note. Somewhat similar estimates hold for 2-adic span (see definition in [14]), one more cryptographic 
measure of complexity of a sequence. We have to omit exact statements due to space limitations. 

Whereas the linear complexity of a binary sequence $\mathcal{X}$ is the length of the shortest LFSR that produces $\mathcal{X}$, the $\ell$-error linear complexity is the length of the shortest LFSR that produces a sequence with almost the same (with the exception of not more than $\ell$ members) period as that of $\mathcal{X}$; that is, the two periods coincide everywhere but at $t \le \ell$ places. Obviously, a random sequence of length $L$ coincides with a sequence that has a period of length $L$ at approximately ... places. That is, the $\ell$-error linear complexity makes sense only for $\ell < \frac{L}{2}$. The following proposition holds.

4.8. Proposition. Let $\mathcal{Z}$ be a sequence of Theorem 3.1, and let $m = 2^k > 1$. Then for $\ell$ less than the half of the length of the shortest period of the $j$-th coordinate sequence $\delta_j(\mathcal{Z})$, the $\ell$-error linear complexity of $\delta_j(\mathcal{Z})$ exceeds $2^{k+j}$, the half of the length of its shortest period.

From 4.7 it follows that the smaller $j$ is, the shorter the period (and the smaller the linear complexity) of the coordinate sequence $\mathcal{Z}_j$. This could be improved by truncation of less significant bits (see 4.4) or, if necessary, with the use of clock output functions of a special kind:

4.9. Proposition. Let $H_i : \mathbb{Z}_2 \to \mathbb{Z}_2$ $(i = 0, 1, 2, \ldots, m-1)$ be compatible and ergodic mappings. For $x \in \{0, 1, \ldots, 2^n - 1\}$ let $F_i(x) = (H_i(\pi(x))) \bmod 2^n$, where $\pi$ is a permutation of the bits of $x \in \mathbb{Z}/2^n$ such that $\delta_0(\pi(x)) = \delta_{n-1}(x)$. Consider a sequence $\mathcal{F}$ of 3.4. Then the shortest period of the $j$-th coordinate sequence $\mathcal{F}_j = \delta_j(\mathcal{F})$ $(j = 0, 1, 2, \ldots, n-1)$ is of length ... for a suitable $1 \le k_j \le m$. Moreover, the linear complexity of the sequence $\mathcal{F}_j$ exceeds $2^{n-1}$.

(*) i.e., the degree of the minimal polynomial over $\mathbb{Z}/2$ of the given sequence

Note. In view of Note 3.3, all the results of Section 4 remain true for compatible mappings $T : \mathbb{Z}_2 \to \mathbb{Z}_2$ (i.e., for T-functions) as well.



5. Security issues 

The paper introduces design techniques that guarantee in advance that the so constructed generator, which dynamically modifies itself during encryption, will meet certain important cryptographic properties; namely, long period, uniform distribution and high linear complexity of the output sequence. The techniques cannot guarantee per se that every such cipher will be secure: obvious degenerate cases exist. On the other hand, if the clock state update functions $g_i$ are chosen arbitrarily under the conditions of 3.1, and the clock output functions $F_i$ just truncate $k$ low order bits, $k \approx \ldots$ (see 4.4), theorem 4.6 leaves no chance to an attacker to break such a scheme. Yet in practice we cannot choose $g_i$ arbitrarily; restrictions are determined by concrete implementations, which are not discussed here.

In this section we are going to give some evidence that with the use of the techniques described above it might be possible to design stream ciphers such that the problem of their key recovery is intractable up to the following conjecture: Choose (randomly and independently) $k < n$ ANFs $\psi_i$ in $n$ Boolean variables $\chi_0, \ldots, \chi_{n-1}$ from the class of ANFs with a polynomially restricted number of monomials. Consider a mapping $F : \mathbb{Z}/2^n \to \mathbb{Z}/2^k$:

$F(x) = F(\chi_0, \ldots, \chi_{n-1}) = \psi_0(\chi_0, \ldots, \chi_{n-1}) \oplus \psi_1(\chi_0, \ldots, \chi_{n-1}) \cdot 2 \oplus \cdots \oplus \psi_{k-1}(\chi_0, \ldots, \chi_{n-1}) \cdot 2^{k-1},$

where $\chi_i = \delta_i(x)$ for $x \in \mathbb{Z}/2^n$. We conjecture that this function $F$ is one-way, that is, one could invert it (i.e., could find an $F$-preimage in case it exists) only with a probability negligible in $n$. Note that to find any $F$-preimage, i.e., to solve an equation $F(x) = y$ in the unknown $x$, one has to solve a system of $k$ Boolean equations in $n$ variables. Yet to determine whether $k$ ANFs have a common zero is an NP-complete problem, see e.g. [13, Appendix A, Section A7.2, Problem ANT-9].

Of course, it is not sufficient to conjecture that $F$ is one-way in case we only know that the problem of whether an $F$-preimage exists is NP-complete; it must be hard on average to invert $F$. However, to our best knowledge, no polynomial-time algorithms that solve random systems of $k$ Boolean equations in $n$ variables for so restricted $k$ are known. The best known results are polynomial-time algorithms that solve so-called overdefined Boolean systems of degree not more than 2, i.e., systems where the number of equations is greater than the number of unknowns and where each ANF is at most quadratic, see [11], [12].

Proceeding with the above plausible conjecture, to each ANF $\psi_i$, $i = 0, 1, 2, \ldots, k-1$, we relate a mapping $\Psi_i : \mathbb{Z}_2 \to \mathbb{Z}_2$ in the following way: $\Psi_i(x) = \psi_i(\delta_0(x), \ldots, \delta_{n-1}(x)) \in \{0, 1\} \subset \mathbb{Z}_2$. Now to each above mapping $F$ we relate a mapping

$f_F(x) = (1 + x) \oplus 2^{n+1} \cdot F(x) = (1 + x) \oplus 2^{n+1} \cdot \Psi_0(x) \oplus 2^{n+2} \cdot \Psi_1(x) \oplus \cdots \oplus 2^{n+k} \cdot \Psi_{k-1}(x)$

of $\mathbb{Z}_2$ onto itself. Clearly,

$$\delta_j(f_F(x)) = \begin{cases} 1 \oplus \delta_0(x), & \text{if } j = 0;\\ \delta_j(x) \oplus \delta_0(x) \cdots \delta_{j-1}(x), & \text{if } 0 < j \le n;\\ \delta_j(x) \oplus \delta_0(x) \cdots \delta_{j-1}(x) \oplus \psi_{j-n-1}(\delta_0(x), \ldots, \delta_{n-1}(x)), & \text{if } n+1 \le j \le n+k. \end{cases}$$

In view of 2.8 the mapping $f_F : \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and ergodic for any choice of the ANFs $\psi_0, \ldots, \psi_{k-1}$. Now for $m = 2^n$ and $i = 0, 1, 2, \ldots, m-1$ choose arbitrarily and independently mappings $F_i : \mathbb{Z}/2^n \to \mathbb{Z}/2^k$ of the above kind. Put $d_0 = \ldots = d_{2^n - 2} = 0$, $d_{2^n - 1} = 1$, and consider the recurrence sequence of states $x_{i+1} = d_{i \bmod m} \oplus f_{F_{i \bmod m}}(x_i)$ and the corresponding output sequence $g(x_0), g(x_1), \ldots$ over $\mathbb{Z}/2^k$, where $g(x) = \lfloor x / 2^{n+1} \rfloor \bmod 2^k$, a truncation. In view of 3.5 the output sequence satisfies 3.4.
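An added example (my code, not the paper's) that builds $f_F$ from two constructed ANFs $\psi_0, \psi_1$ in $n = 3$ variables, checks the three-case formula for $\delta_j(f_F(x))$ bit by bit against a direct evaluation, and confirms that $f_F$ is a single cycle modulo $2^{n+k+1}$ (the finite shadow of ergodicity); the ANFs and the small parameters are my choice.

```python
def delta(j, x):
    """The j-th binary digit of x (the paper's delta_j)."""
    return (x >> j) & 1


def make_F(psi_list, n):
    """F: Z/2^n -> Z/2^k, F(x) = psi_0(chi) XOR 2*psi_1(chi) XOR ... with chi_i = delta_i(x)."""
    def F(x):
        chi = [delta(i, x) for i in range(n)]
        return sum(psi(chi) << i for i, psi in enumerate(psi_list))
    return F


def make_f_F(psi_list, n):
    """f_F(x) = (1 + x) XOR 2^{n+1} * F(x), reduced modulo 2^N for the requested N."""
    F = make_F(psi_list, n)
    low_mask = (1 << n) - 1

    def f(x, N):
        return ((1 + x) ^ (F(x & low_mask) << (n + 1))) % (1 << N)
    return f


def bit_formula(j, x, psi_list, n):
    """Right-hand side of the paper's three-case formula for delta_j(f_F(x))."""
    carry = 1
    for t in range(j):                  # delta_0(x) ... delta_{j-1}(x); empty product is 1
        carry &= delta(t, x)
    if j == 0:
        return 1 ^ delta(0, x)
    if j <= n:
        return delta(j, x) ^ carry
    chi = [delta(i, x) for i in range(n)]
    return delta(j, x) ^ carry ^ psi_list[j - n - 1](chi)


def cycle_length(f, N, x0=0):
    """Length of the orbit of x0 under f modulo 2^N (equal to 2^N iff f is a single cycle)."""
    x, steps = f(x0, N), 1
    while x != x0:
        x, steps = f(x, N), steps + 1
    return steps


# Constructed ANFs in n = 3 variables (my choice, not the paper's); k = 2 of them.
N_VARS = 3
PSI = [
    lambda c: (c[0] & c[1]) ^ c[2],          # psi_0 = chi_0 chi_1 + chi_2
    lambda c: c[1] ^ (c[0] & c[2]) ^ 1,      # psi_1 = chi_1 + chi_0 chi_2 + 1
]


def verify(psi_list=PSI, n=N_VARS):
    """(f_F is a single cycle modulo 2^{n+k+1}?, case formula holds for every x and j?)."""
    k = len(psi_list)
    f = make_f_F(psi_list, n)
    total = n + k + 1
    single = cycle_length(f, total) == 1 << total
    agrees = all(delta(j, f(x, total)) == bit_formula(j, x, psi_list, n)
                 for x in range(1 << total) for j in range(total))
    return single, agrees


if __name__ == "__main__":
    print(verify())                                   # (True, True)
```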

We shall always take a key $z \in \{0, 1, \ldots, 2^n - 1\}$ as an initial state $x_0$. Let $z$ be the only information that is not known to an attacker; let everything else, i.e., $n$, $k$, $f_{F_i}$, $d_i$, and $g$, as well as the first $s$ members of the output sequence $\{y_i\}$, be known to him. Since $\delta_0(x) \cdots \delta_{j-1}(x) = 1$ iff $x \equiv -1 \pmod{2^j}$, with probability $1 - \varepsilon$ (where $\varepsilon$ is negligible if $s$ is a polynomial in $n$) he obtains a sequence (**):

(5.0.1) $y_0 = F_0(z),\ y_0 \oplus y_1 = F_1(z + 1),\ \ldots,\ y_{s-2} \oplus y_{s-1} = F_{s-1}(z + s - 1)$

To find $z$ the attacker may try to solve any of these equations; he could do it only with a negligible advantage, since $F_i$ is one-way. Of course, the attacker may try to express $z + i$ as a collection of ANFs $\delta_0(z + i), \ldots, \delta_{n-1}(z + i)$ in the variables $\chi_0 = \delta_0(z), \ldots, \chi_{n-1} = \delta_{n-1}(z)$, then substitute these ANFs for the variables into the ANFs that define the mappings $F_i$, to obtain an overdefined system (5.0.1) in the unknowns $\chi_0, \ldots, \chi_{n-1}$. However, the known formula (see e.g. [1] and fix an obvious misprint there)

$$(5.0.2)\qquad \delta_j(z + i) = \chi_j + \delta_j(i) + \sum_{r=0}^{j-1} \delta_r(i) \cdot \chi_r \prod_{t=r+1}^{j-1} \bigl(\delta_t(i) + \chi_t\bigr) \pmod 2;$$

implies that the number of monomials in the equations of the obtained system will be, generally speaking, exponential in $n$; to say nothing of the fact that the number of operations needed to make these substitutions and then to collect similar terms is also exponential in $n$, unless the degree of all ANFs that define all $F_i$ is bounded by a constant (the latter is not the case according to our assumptions).

Finally, our assumption that the attacker knows all $F_i$ seems to be too strong: It is more practical to assume that he does not know $F_i$ in (5.0.1), since, given clock output (and/or clock state update) functions as explicit compositions of arithmetic and bitwise logical operators, 'normally' it is infeasible to express these functions in the Boolean form 2.2: The corresponding ANFs 'as a rule' are sums of an exponential in $n$ number of monomials, cf. (5.0.2). Moreover, if these clock output functions $F_i$ and/or clock state update functions $f_i$ are determined by a key-dependent control sequence (say, one produced by a generator with an unknown initial state), see Section 3, then the explicit forms of the mentioned compositions are also unknown. So in general an attacker has to find an initial state $u_0$ having only a segment $z_j, z_{j+1}, \ldots$ of the output sequence formed according to the rule (2.0.1), where both $f_i$ and $F_i$ are not known to him. An 'algebraic' way to do this by guessing $f_i$ and $F_i$ and solving the corresponding systems of equations seems to be hopeless in view of 2.9 and the above discussion. The results of the preceding sections (***) give us reasons to conjecture that under common tests the sequence $z_j, z_{j+1}, \ldots$ behaves like a random one, so 'statistical' methods of breaking such (reasonably designed) ciphers seem to be ineffective as well.



(**) which is pseudorandom even if $F = F_0 = F_1 = \ldots$, under the additional conjecture (how plausible is it?) that the function $F$ constructed above is a pseudorandom function

(***) as well as computer experiments: Output sequences of explicit generators of the kind considered in the paper passed both the DIEHARD and the NIST test suites